An introductory session about Social Engineering presented at ICT Nuggets Forum - Khartoum, organized by the Duko team. We talked about what social engineering is, the terms related to it, and how attacks can be carried out. We also told a lot of stories about successful social engineering attacks and how much damage they did. Finally we talked about how to protect yourself and your company from social engineering attacks.
Introduction About Myself
• Ahmed Abbas Mohammed.
• Graduated from SUST-CSIT, Networks department.
• Currently working as an Information Security Administrator.
• Organizer and speaker at OWASP Khartoum.
• Member at Sudan-T00r and Hex Hex security teams.
• Interested in physical security, security awareness and psychology.
What is social engineering?
• The art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access.
• Why spend thousands of dollars on sophisticated hacking software when you could just trick someone into telling you the password?
Human Weak Points
• Diffusion of Responsibility
• Chance for Ingratiation
• Trust Relationship
• Guilt
• Desire to help.
Why is Social Engineering Effective?
• Manipulates legitimate users into undermining their own security system
• Abuses trusted relationships between employees
• Very cheap for the attacker
• Attacker does not need specialized equipment or skills
• Who visited your Facebook account?
• Who blocked you?
• Who is your best friend?
• Win free stuff
Phishing involves false emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A message might come from a bank or other well-known institution asking you to “verify” your login information. It will usually lead to a mocked-up login page with all the right logos to look legitimate. It could also be a message claiming you are the “winner” of some prize or lottery, coupled with a request to hand over your bank information, or even a charity plea after a big natural disaster with instructions to wire information to the “charity/criminal”.
Pretexting is the human equivalent of phishing, where someone impersonates an authority figure or someone you trust to gain access to your login information. It can take the form of fake IT support needing to do maintenance, or a false investigator performing a company audit. Someone might impersonate co-workers, the police, tax authorities or other seemingly legitimate people in order to gain access to your computer and information.
Quid Pro Quo is a request for your information in exchange for some compensation. It could be a free T-shirt or access to an online game or service in exchange for your login credentials, or a researcher asking for your password as part of an experiment in exchange for $100. If it sounds too good to be true, it probably is quid pro quo.
In 2009 Coca-Cola was deeply hacked.
It all started with an email that had this subject line:
“Save power is save money! (from CEO)”
Executive Paul Etchells was the first victim.
The attack targeted a major upcoming acquisition of a Chinese firm, a deal that later fell apart because of the hackers.
The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high-profile or high-value targets. The email subject line read “2011 Recruitment Plan.”
The email was crafted well enough to trick one of the employees into retrieving it from their Junk mail folder and opening the attached Excel file. It was a spreadsheet titled “2011 Recruitment plan.xls”.
The spreadsheet contained a zero-day exploit that installed a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, Adobe has since released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.
Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.
Paul Allen, a co-founder of Microsoft, recently became a victim of a social engineering scheme. Brandon Price, an army deserter from Pittsburgh, PA, was able to obtain Allen’s debit card through Citibank’s call center. Price impersonated Allen on the phone call and changed the account’s address to his own; he then ordered a new debit card, which was subsequently sent out. Price used this card to make a payment on a loan and then attempted a wire transfer and an in-store purchase, both of which failed.
To understand what happened, you must know that Catholic Healthcare West, the hospital chain in question, signed a contract with Merced County, California, to operate a medical center in the San Joaquin Valley. In order to be able to do that, the chain had to maintain an escrow account with $7.5 million in it. At the same time, it decided to change banks, but needed the approval of the county's Board of Supervisors to do that. They did approve but, unfortunately, the county put a partial copy of this agreement on its official website, complete with the signatures of the chain's CFO Michael Blaszyk and the Merced County Director of Public Health Tammy Chandler.
Armed with the name of the bank where Catholic Healthcare West had the account and the name and signature of the chain's CFO, the fraudster put the plan in motion in December 2011, Forbes reports. First he faxed a request for Wells Fargo to wire $445,000 from the chain's escrow account to one at the HSBC bank in New York. Although "signed" by Blaszyk and Chandler, the transfer was denied because the account at HSBC was nonexistent. The escrow agent moved to check with HSBC why the request was rejected - or so he thought. Unfortunately, he called the bank's number he got off the fax, and got an answering machine. The number actually belonged to the fraudster, who called back after a short period of time, posed as Blaszyk, and told the escrow agent to ignore the wire transfer request.
A week later, the fraudster tried again. This time, a request was made for the same amount to be transferred to an account under the same name in a bank in Hong Kong. Again, the request was rejected on the same grounds. Almost a week later, the escrow agent received a third wire transfer request: to send $989,000 to an account in the name of Textil Trading UK Limited at another bank, the Standard Chartered Bank in Hong Kong.
And this time, the account existed, the request was approved and the money was transferred. Seeing that the scheme was finally successful, the fraudster tried again three times. The first request was denied because the transfer of the amount requested would require the bank to sell securities, and the fraudster didn't indicate which ones. The second one hit another jackpot, and $1.1 million was wired to the Hong Kong account. And the third one - a request for a transfer of $2.2 million - was when the escrow agent began to suspect something was wrong. He finally called Catholic Healthcare West and found out that none of the earlier requests had been sent by them. Wells Fargo has since reimbursed Catholic Healthcare West for the stolen money, and has engaged a legal team to try to get the stolen money - or what is left of it - back from the Hong Kong account. They are also working with law enforcement on finding the individual(s) behind the fraudulent scheme.
http://www.net-security.org/secworld.php?id=12516
Social engineering an employee to give up the credentials
Initial reports from Rapid7 revealed that a spoofed DNS change request sent by fax to Register.com led to the domains being hijacked. However, after further investigation, Register.com determined that the hackers had social-engineered an employee into handing over legitimate credentials.
The top military commander in NATO has been targeted by attackers wielding fake Facebook pages. Attackers have been creating Facebook pages under the name of Admiral James Stavridis, NATO's Supreme Allied Commander Europe (SACEUR), in an attempt to lure his colleagues, friends, and family into connecting with the account and divulging private information, reported The Observer newspaper in Britain on Sunday.
"There have been several fake SACEUR pages. Facebook has cooperated in taking them down… the most important thing is for Facebook to get rid of them," a NATO official told the Observer, noting that similar attacks first began about two years ago.
The fake pages are cause for concern for NATO officials, who have been turning to social media to disseminate more news relating to the alliance. In October, Stavridis used his Facebook page to announce the end of military operations in Libya. "First and foremost, we want to make sure that the public is not being misinformed. SACEUR and NATO have made significant policy announcements on either the Twitter or Facebook feed, which reflects NATO keeping pace with social media. It is important the public has trust in our social media," said the NATO official.
http://www.darkreading.com/risk-management/facebook-social-engineering-attack-strikes-nato-/d/d-id/1103308?